WordPress is adding both the noopener and noreferrer keywords to external AND internal links that open in a new tab: essentially anything on your WordPress site that opens in a new window or tab (target="_blank").
We noticed this earlier today after updating an article and then viewing its source.
If you set a link to open in a new tab, WordPress now adds rel="noopener noreferrer" automatically, in addition to the target="_blank" attribute.
Not only that: if you open any old post and save it, the attribute gets added automatically. This has probably been done to avoid what is known as Reverse Tabnabbing.
Website owners should help prevent such attacks and exploitation of this vulnerability. WordPress has taken this step to protect users.
Reverse Tabnabbing occurs when the attacker uses window.opener.location.assign() to replace the background tab with a malicious document.
- When you add the noopener keyword, the new/other page cannot access your window object via window.opener.
- The noreferrer keyword tells the browser not to send HTTP referrer information when the link is followed.
- Firefox does not support noopener, so you have to use rel="noopener noreferrer".
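
The rewrite described above can be reproduced on a string of post HTML to audit or fix content outside the editor. This is an added JavaScript example, not WordPress's own code; the function names hardenLinks and findUnprotected and the sample markup are hypothetical and constructed for illustration.

```javascript
// Added example, not WordPress code. hardenLinks, findUnprotected and
// SAMPLE_POST are hypothetical names; the markup is constructed.
// Regex-based, so it suits editor-generated HTML, not arbitrary input.
const REQUIRED = ['noopener', 'noreferrer'];
const ATTR_VALUE = `\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`;

// Return the value of one attribute inside a raw tag, or null if absent.
function getAttr(tag, name) {
  const m = new RegExp(`\\s${name}${ATTR_VALUE}`, 'i').exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Add the missing rel keywords to every <a> that opens a new tab.
function hardenLinks(html) {
  return html.replace(/<a(\s[^>]*)?>/gi, (tag) => {
    const target = getAttr(tag, 'target');
    if (target === null || target.toLowerCase() !== '_blank') return tag;
    const rel = getAttr(tag, 'rel');
    const tokens = (rel || '').split(/\s+/).filter(Boolean);
    for (const kw of REQUIRED) {
      if (!tokens.some((t) => t.toLowerCase() === kw)) tokens.push(kw);
    }
    const relAttr = `rel="${tokens.join(' ')}"`;
    if (rel === null) return `${tag.slice(0, -1)} ${relAttr}>`;
    // Keep existing keywords such as nofollow; rewrite the attribute in place.
    return tag.replace(new RegExp(`(\\s)rel${ATTR_VALUE}`, 'i'),
      (m, lead) => lead + relAttr);
  });
}

// Audit: opening tags that open a new tab without the noopener keyword.
function findUnprotected(html) {
  return (html.match(/<a(\s[^>]*)?>/gi) || []).filter((tag) => {
    const target = getAttr(tag, 'target');
    const rel = (getAttr(tag, 'rel') || '').toLowerCase().split(/\s+/);
    return target !== null && target.toLowerCase() === '_blank'
      && !rel.includes('noopener');
  });
}

const SAMPLE_POST = [
  '<p><a href="https://example.com/" target="_blank">external</a>',
  '<a href="/about/" target="_blank" rel="nofollow">internal, new tab</a>',
  '<a href="/contact/">same tab</a>',
  '<a href="https://example.org/" target="_blank" rel="noopener noreferrer">set</a></p>',
].join('\n');

console.log(findUnprotected(SAMPLE_POST).length, 'unprotected before');
console.log(hardenLinks(SAMPLE_POST));
```

Links that stay in the same tab are left alone, and running the function twice gives the same result as running it once.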